Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: www.awolfe-grc.info
I ran this command: sudo certbot --nginx
It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.awolfe-grc.info
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
The request message was malformed :: Certificate not found
My web server is (include version): Nginx 1.18.0
The operating system my web server runs on is (include version): Ubuntu 20
My hosting provider, if applicable, is: none
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.6.0
All seems to work until I get to the end, when I get the Cert not found error. Not sure where to look to troubleshoot.
This is just a very basic site I am doing some testing on, run on a simple server with nothing else running. It is behind a NAT/firewall, so only 80 and 443 are passed to the server from the public IP.
Could you please paste the output of letsencrypt.log between three backticks? (I.e., above and below the output of the log put ``` on a single line.)
Alternatively, you could also run certbot again with the same options but with -v (for verbose) added. This provides more info, but I think a little less than the log file, which is ridiculously verbose.
Strange… For some reason you're getting a certificate issued (see https://crt.sh/?id=3082916701 for your certificate), but the Let's Encrypt server can't find it itself?
First, thanks for the help!!! A few things: I am using the beta Snap version of Certbot, not sure if that is causing issues. Second, when I go to the link in your message (crt.sh) I get a bad gateway.
@lestaff this does seem like a fairly concerning internal CA issue if the ACME endpoint sometimes can't successfully look up its own issued certificates.
I dug deeper in the logs and found the answer: Certbot's request to download the certificate got a timeout trying to request the certificate from the database. Normally that should be a 500 (Internal Server Error). But it looks like Boulder has a bug where it is reporting this particular timeout as a 404 instead. I'll get that fixed.
Thank you for your help. I am not clear on next steps: can I just rerun sudo certbot --nginx and it should work, or do I need to use a different method to retrieve the private key and cert?
Right now I have no web cert to use for TLS traffic on the server. If there is a fact-filled document I should read I will take a pointer as well.
In this case you've only issued one certificate so you're not likely to run into rate limits. I think you should just re-run sudo certbot --nginx. Now, if that errors again we might want to look at things like manually setting up the certificate retrieved from the URL I shared above, so you don't run into rate limits. But I think you should succeed if you just try again.
And there was joy in Mudville. Thank you @jsha and @Osiris for your amazingly fast support.
It looks to be working as expected, boring site but as expected.